New tools automate cyber criminals’ attempts to take over corporate accounts

Nearly all of the largest organizations throughout the world had their credentials exposed by cyber criminals last year, a new study has found.

The study, done by London- and San Francisco-based Digital Shadows, which provides clients with information about their external digital risks, determined that 97 percent of the world’s largest 1,000 organizations had credentials exposed.

Account takeover occurs when a malicious actor gains access to a user’s account by stealing user name/email and password credentials, often through password dumps, phishing or malware.

The most common targets, the study found, are organizations in the gaming, technology, broadcasting and retail industries, but other businesses are not immune.

“The most targeted sites—popular gaming, technology and media websites—were not a huge surprise,” says Michael Marriott, a research analyst at Digital Shadows. “Most surprising was the inclusion of education platforms, which demonstrates that low-level cyber criminals are sometimes after more than just online gaming accounts, retailers and free pizza.”

Digital Shadows’ study, which found more than 30,000 reported instances of credential exposure, found that SentryMBA is the most discussed credential-stuffing tool on criminal forums. It is praised for its ability to defeat anti-fraud measures like blacklists and CAPTCHA controls.

SentryMBA appears to be very effective and has “developed a strong ecosystem around it, with a sea of participants willing to provide configuration files,” Marriott says. “SentryMBA lowers the entry barriers for account takeovers, making it very popular with the less skilled cyber criminal.”

The price to buy credentials depends on “a range of factors, including their freshness and geography of accounts,” Marriott says. “Higher-tier cyber criminals will maximize their activities while the stolen credentials are newly exposed. Once they have completed their campaigns, they will then sell them off.”

Criminals don’t have to spend much

Lower-level cyber criminals “will favor the cheap databases that have been on the market for a few years,” he says. “There are so many credentials publicly available that most actors won’t need to spend a cent.”

The LinkedIn database was offered for sale last year “on a dark web marketplace” for $2,280, Marriott says. But now it can be bought for as low as $4.

“It’s a classic case of supply and demand,” he says. “With well over 3 billion credentials publicly available, it’s no surprise that the price will be pushed down.”

What new credential-stuffing methods might we see in the future?

“As organizations gain awareness of the risk of credential stuffing, tools may look to incorporate new ways to avoid detection,” Marriott says. “You can expect to see the evolution of obfuscation designed to hide the fact that credential-stuffing tools are attempting brute-force logins.”

Organizations must take extra steps

Big companies shouldn’t think that preventing a credential-stuffing attack is a simple task.

“When talking about account takeover, the response often is: ‘It’s easy. Just implement multifactor authentication,’ ” Marriott says. “Well, it’s not that simple. Implementing MFA can cause a lot of friction and is not a silver bullet. There are other things large companies can do. Deploying an inline Web Application Firewall, monitoring for users’ leaked credentials, and increasing user awareness are all sensible measures.”

Smaller organizations can set up Google alerts for mentions of their organizations on malicious hacker forums, Marriott says.

“It’s an inexpensive way of gaining an understanding of an organization’s exposure,” he says. “Other free resources, such as haveibeenpwned.com, also give an idea when employees or customers have credentials compromised in breaches.”